Filtering traffic from LOCAL interfaces to WAN IPs with NAT+Proxy Activated



  • Hello everyone,

    We are facing a filtering leak that we would like to address.

    We have two local private networks (10.0.1.0/24 and 10.0.2.0/24) that can communicate with the outside world, and they are isolated from each other by a filtering rule that prevents traffic to private segments (10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12). The WAN IPs assigned to LAN1 and LAN2 have the NAT+Proxy feature activated to enable the local machines of LAN1 or LAN2 to communicate with the public IPs.

    The problem arises when a machine inside LAN1 (10.0.1.0/24) makes a request to a WAN IP of LAN2. pfSense captures that traffic and rewrites the request, so the request comes from the GW of LAN2, 10.0.2.1. This makes it very difficult to filter the communication to prevent LAN1 from communicating with services exposed on LAN2, because the origin is rewritten.

    Any ideas or workarounds?

    Best Regards,
    Alberto Picón



  • @rhawk1es:

    This makes it very difficult to filter the communication to prevent LAN1 from communicating with services exposed on LAN2, because the origin is rewritten.

    If you don't want that communication, why use NAT reflection?

    @rhawk1es:

    Any ideas or workarounds?

    Try pure NAT if you need NAT reflection, or set up a split DNS.



  • We need NAT reflection because LAN2 communicates internally with the WAN CARP public IP by customer request. We need to prevent LAN1 from being able to connect to the public IP.

    In fact, LAN2 exposes a web server with an ACL on it. These ACLs allow requests from the LAN2 segment. When a request is made from LAN1 to the WAN IP, the firewall NAT-reflects the request and it is rewritten as if it were made from the LAN2 GW, allowing the access.

    We could mitigate this by disabling the NAT reflection feature and using an internal DNS to resolve LAN2 requests to private segments instead of using public IPs. But I wonder if there exists any other workaround, by applying some kind of filtering on LAN1…



  • As mentioned, you may use NAT reflection "pure NAT" on a current pfSense version. That causes requests from LAN1 to arrive with their original source address, while requests from LAN2 devices will have the pfSense interface address as source.
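    The address rewriting described in this thread, as an added model that is not part of the original posts or of pfSense: it shows why the web server's "LAN2 only" ACL admits a LAN1 client under NAT+Proxy but not under pure NAT. The WAN CARP VIP and the forwarded web server address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses: the VIP is a documentation-range placeholder, the
# web server is an assumed forwarded host on LAN2.
LAN1_NET = ip_network("10.0.1.0/24")
LAN2_NET = ip_network("10.0.2.0/24")
LAN2_GW = ip_address("10.0.2.1")       # pfSense interface address on LAN2
WAN_VIP = ip_address("203.0.113.10")   # placeholder public CARP IP
WEB_SERVER = ip_address("10.0.2.20")   # placeholder port-forward target


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def reflect(pkt: Packet, mode: str) -> Packet:
    """Model the rewrite pfSense applies when a local client hits the forwarded VIP."""
    if pkt.dst != WAN_VIP:
        return pkt                      # not a reflected flow, untouched
    if mode == "proxy":
        # NAT + proxy: pfSense terminates the connection and re-originates it
        # from its own address on the destination segment, so every client,
        # whatever its LAN, shows up as the LAN2 gateway.
        return Packet(LAN2_GW, WEB_SERVER)
    if mode == "pure":
        # Pure NAT: only the destination is rewritten. A client on the same
        # subnet as the server is additionally source-NATed to the interface
        # address so the reply returns through pfSense; other clients keep
        # their original source.
        src = LAN2_GW if pkt.src in LAN2_NET else pkt.src
        return Packet(src, WEB_SERVER)
    raise ValueError(f"unknown reflection mode: {mode}")


def web_acl_allows(pkt: Packet) -> bool:
    """The web server's ACL from the thread: only the LAN2 segment may connect."""
    return pkt.src in LAN2_NET


def outcome(client: str, mode: str) -> bool:
    """True if a client reaching the VIP in the given mode passes the web ACL."""
    return web_acl_allows(reflect(Packet(ip_address(client), WAN_VIP), mode))
```

Running `outcome("10.0.1.50", "proxy")` reproduces the leak (the LAN1 client is admitted), while `outcome("10.0.1.50", "pure")` is refused because the ACL now sees the real LAN1 source.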



  • Thank you very much for your suggestion.

    I've tried to search for the behaviour of the Pure NAT functionality without success. What is the main difference between Pure NAT and NAT+proxy?

    Best Regards



  • Aside from what you can find in the pfSense docs (https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks), I have recorded that in proxy mode, access to destination devices passes irrespective of firewall rules.

    So if you have luck with pure NAT mode, I suggest using this one.